Servlet Filter Parameter Sanitization

Usage

The purpose of the parameter sanitization servlet filter is to reduce the risk of cross-site scripting (XSS) attacks carried in HTTP request parameters that are later reflected into a Web page.

To accomplish this task:

  • The administrator chooses the HTTP request parameters (sent in the URL query string or in the request body) that might be displayed in a Web page and lists them in the Web application's configuration file (the deployment descriptor, web.xml).

  • The servlet filter removes potentially harmful characters from the values of those parameters; it does not replace or encode them. A legitimate value that contains such a character is therefore altered, so choose the filtered character set with the expected input in mind.

  • A custom filter can be set individually for each parameter or for a list of parameters.

  • For a single parameter, use a filter initialization parameter named filtered.keys.<parameter>.

  • For a list of parameters sharing one filter, use the name filtered.keys.[<parameter1>,<parameter2>].

  • A default filter, configured with the parameter defaultFilter, is applied to every parameter that is not listed explicitly.

  • If defaultFilter is empty or omitted, only the explicitly listed parameters are filtered.

Parameter names are case-sensitive: a key configured as filtered.keys.Comment does not match a request parameter named comment.

The servlet filter processes parameters at its position in the configured servlet filter chain; every filter and servlet that runs after it sees the sanitized values instead of the original ones, so any other operation that reads these parameters is affected.

Enablement

All DirX Access Server web applications ship with the ServletFilterParameterSanitization filter and the corresponding filter-mapping, commented out, to sanitize all input parameters.

Uncomment the filter and its filter-mapping in the deployment descriptor (web.xml) of every Web application that is to be protected, on every DirX Access Server instance, and customize the filter parameters as described under Usage.

Restart the DirX Access Server instances afterwards; changes to web.xml take effect only after a restart.
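The following web.xml fragment is an added example of the complete procedure above (listed parameters, a parameter list, a default filter, and the filter-mapping); it is not the descriptor shipped with DirX Access Server. The filter-class value, the parameter names (comment, firstName, lastName), the url-pattern, and the form of the filter value (here: the characters to strip) are assumptions for illustration only; take the class name and the value syntax from the descriptor shipped with your installation.

```xml
<!-- Added example, not the shipped DirX Access web.xml.
     filter-class, parameter names and the value syntax are placeholders. -->
<filter>
  <filter-name>ServletFilterParameterSanitization</filter-name>
  <!-- placeholder class name; keep the one from the shipped descriptor -->
  <filter-class>com.example.ParameterSanitizationFilter</filter-class>

  <!-- Single parameter: strip the characters that open tags and attributes.
       '<' must be written as &lt; inside XML element content. -->
  <init-param>
    <param-name>filtered.keys.comment</param-name>
    <param-value>&lt;&gt;"'</param-value>
  </init-param>

  <!-- Several parameters sharing one filter (case-sensitive names). -->
  <init-param>
    <param-name>filtered.keys.[firstName,lastName]</param-name>
    <param-value>&lt;&gt;</param-value>
  </init-param>

  <!-- Default filter for every parameter not listed above.
       Omit this init-param, or leave its value empty, to filter
       only the parameters listed explicitly. -->
  <init-param>
    <param-name>defaultFilter</param-name>
    <param-value>&lt;&gt;</param-value>
  </init-param>
</filter>

<!-- filter-mapping order determines the chain order: place this mapping
     before any other filter that reads request parameters. -->
<filter-mapping>
  <filter-name>ServletFilterParameterSanitization</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this configuration a request such as ?comment=<b>hi</b>&firstName=<i>A&nick=<x> would reach the servlets as comment=bhi/b, firstName=iA and, because of defaultFilter, nick=x; without the defaultFilter element nick would pass through unchanged. The filter-mapping elements are applied in the order they appear in web.xml, which is why this mapping belongs ahead of any filter that already consumes parameters.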